Annotation of src/usr.bin/ssh/ssh-keygen.c, Revision 1.117.2.2
1.1 deraadt 1: /*
1.13 deraadt 2: * Author: Tatu Ylonen <ylo@cs.hut.fi>
3: * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
4: * All rights reserved
5: * Identity and host key generation and maintenance.
1.31 deraadt 6: *
7: * As far as I am concerned, the code I have written for this software
8: * can be used freely for any purpose. Any derived versions of this
9: * software must be clearly marked as such, and if the derived work is
10: * incompatible with the protocol description in the RFC file, it must be
11: * called by a name other than "ssh" or "Secure Shell".
1.13 deraadt 12: */
1.1 deraadt 13:
14: #include "includes.h"
1.117.2.2! brad 15: RCSID("$OpenBSD: ssh-keygen.c,v 1.122 2005/03/11 14:59:06 markus Exp $");
1.19 markus 16:
17: #include <openssl/evp.h>
18: #include <openssl/pem.h>
1.1 deraadt 19:
20: #include "xmalloc.h"
1.19 markus 21: #include "key.h"
1.53 markus 22: #include "rsa.h"
1.19 markus 23: #include "authfile.h"
24: #include "uuencode.h"
1.32 markus 25: #include "buffer.h"
26: #include "bufaux.h"
1.40 markus 27: #include "pathnames.h"
1.41 markus 28: #include "log.h"
1.114 djm 29: #include "misc.h"
1.117.2.1 brad 30: #include "match.h"
31: #include "hostfile.h"
1.32 markus 32:
1.75 markus 33: #ifdef SMARTCARD
34: #include "scard.h"
1.106 djm 35: #endif
36: #include "dns.h"
1.66 markus 37:
1.19 markus 38: /* Number of bits in the RSA/DSA key. This value can be changed on the command line. */
1.1 deraadt 39: int bits = 1024;
40:
1.14 markus 41: /*
42: * Flag indicating that we just want to change the passphrase. This can be
43: * set on the command line.
44: */
1.1 deraadt 45: int change_passphrase = 0;
46:
1.14 markus 47: /*
48: * Flag indicating that we just want to change the comment. This can be set
49: * on the command line.
50: */
1.1 deraadt 51: int change_comment = 0;
52:
1.2 provos 53: int quiet = 0;
54:
1.117.2.1 brad 55: /* Flag indicating that we want to hash a known_hosts file */
56: int hash_hosts = 0;
57: /* Flag indicating that we want lookup a host in known_hosts file */
58: int find_host = 0;
59: /* Flag indicating that we want to delete a host from a known_hosts file */
60: int delete_host = 0;
61:
1.8 markus 62: /* Flag indicating that we just want to see the key fingerprint */
63: int print_fingerprint = 0;
1.49 markus 64: int print_bubblebabble = 0;
1.8 markus 65:
1.10 markus 66: /* The identity file name, given on the command line or entered by the user. */
67: char identity_file[1024];
68: int have_identity = 0;
1.1 deraadt 69:
70: /* This is set to the passphrase if given on the command line. */
71: char *identity_passphrase = NULL;
72:
73: /* This is set to the new passphrase if given on the command line. */
74: char *identity_new_passphrase = NULL;
75:
76: /* This is set to the new comment if given on the command line. */
77: char *identity_comment = NULL;
78:
1.19 markus 79: /* Dump public key file in format used by real and the original SSH 2 */
80: int convert_to_ssh2 = 0;
81: int convert_from_ssh2 = 0;
82: int print_public = 0;
1.105 jakob 83: int print_generic = 0;
1.33 markus 84:
1.87 djm 85: char *key_type_name = NULL;
1.19 markus 86:
1.10 markus 87: /* argv0 */
88: extern char *__progname;
1.1 deraadt 89:
1.19 markus 90: char hostname[MAXHOSTNAMELEN];
91:
1.115 djm 92: /* moduli.c */
93: int gen_candidates(FILE *, int, int, BIGNUM *);
94: int prime_test(FILE *, FILE *, u_int32_t, u_int32_t);
95:
1.63 itojun 96: static void
1.10 markus 97: ask_filename(struct passwd *pw, const char *prompt)
1.1 deraadt 98: {
1.12 markus 99: char buf[1024];
1.35 markus 100: char *name = NULL;
101:
1.92 stevesk 102: if (key_type_name == NULL)
1.40 markus 103: name = _PATH_SSH_CLIENT_ID_RSA;
1.92 stevesk 104: else
105: switch (key_type_from_name(key_type_name)) {
106: case KEY_RSA1:
107: name = _PATH_SSH_CLIENT_IDENTITY;
108: break;
109: case KEY_DSA:
110: name = _PATH_SSH_CLIENT_ID_DSA;
111: break;
112: case KEY_RSA:
113: name = _PATH_SSH_CLIENT_ID_RSA;
114: break;
115: default:
116: fprintf(stderr, "bad key type");
117: exit(1);
118: break;
119: }
120:
1.35 markus 121: snprintf(identity_file, sizeof(identity_file), "%s/%s", pw->pw_dir, name);
1.37 markus 122: fprintf(stderr, "%s (%s): ", prompt, identity_file);
1.12 markus 123: if (fgets(buf, sizeof(buf), stdin) == NULL)
124: exit(1);
125: if (strchr(buf, '\n'))
126: *strchr(buf, '\n') = 0;
127: if (strcmp(buf, "") != 0)
128: strlcpy(identity_file, buf, sizeof(identity_file));
129: have_identity = 1;
1.7 markus 130: }
131:
1.63 itojun 132: static Key *
1.61 markus 133: load_identity(char *filename)
1.19 markus 134: {
1.52 markus 135: char *pass;
136: Key *prv;
137:
1.55 markus 138: prv = key_load_private(filename, "", NULL);
1.52 markus 139: if (prv == NULL) {
1.61 markus 140: if (identity_passphrase)
141: pass = xstrdup(identity_passphrase);
142: else
1.65 markus 143: pass = read_passphrase("Enter passphrase: ",
144: RP_ALLOW_STDIN);
1.52 markus 145: prv = key_load_private(filename, pass, NULL);
1.19 markus 146: memset(pass, 0, strlen(pass));
147: xfree(pass);
148: }
1.52 markus 149: return prv;
1.19 markus 150: }
151:
1.32 markus 152: #define SSH_COM_PUBLIC_BEGIN "---- BEGIN SSH2 PUBLIC KEY ----"
1.100 deraadt 153: #define SSH_COM_PUBLIC_END "---- END SSH2 PUBLIC KEY ----"
1.32 markus 154: #define SSH_COM_PRIVATE_BEGIN "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----"
1.42 stevesk 155: #define SSH_COM_PRIVATE_KEY_MAGIC 0x3f6ff9eb
1.19 markus 156:
1.63 itojun 157: static void
1.19 markus 158: do_convert_to_ssh2(struct passwd *pw)
159: {
1.59 markus 160: Key *k;
1.94 markus 161: u_int len;
1.36 markus 162: u_char *blob;
1.19 markus 163: struct stat st;
164:
165: if (!have_identity)
166: ask_filename(pw, "Enter file in which the key is");
167: if (stat(identity_file, &st) < 0) {
168: perror(identity_file);
169: exit(1);
170: }
1.59 markus 171: if ((k = key_load_public(identity_file, NULL)) == NULL) {
1.61 markus 172: if ((k = load_identity(identity_file)) == NULL) {
1.59 markus 173: fprintf(stderr, "load failed\n");
174: exit(1);
175: }
1.104 markus 176: }
177: if (k->type == KEY_RSA1) {
178: fprintf(stderr, "version 1 keys are not supported\n");
179: exit(1);
1.19 markus 180: }
1.81 markus 181: if (key_to_blob(k, &blob, &len) <= 0) {
182: fprintf(stderr, "key_to_blob failed\n");
183: exit(1);
184: }
1.32 markus 185: fprintf(stdout, "%s\n", SSH_COM_PUBLIC_BEGIN);
1.19 markus 186: fprintf(stdout,
1.101 deraadt 187: "Comment: \"%u-bit %s, converted from OpenSSH by %s@%s\"\n",
1.59 markus 188: key_size(k), key_type(k),
1.19 markus 189: pw->pw_name, hostname);
190: dump_base64(stdout, blob, len);
1.32 markus 191: fprintf(stdout, "%s\n", SSH_COM_PUBLIC_END);
1.59 markus 192: key_free(k);
1.21 markus 193: xfree(blob);
1.19 markus 194: exit(0);
195: }
196:
1.63 itojun 197: static void
1.32 markus 198: buffer_get_bignum_bits(Buffer *b, BIGNUM *value)
199: {
1.116 avsm 200: u_int bignum_bits = buffer_get_int(b);
201: u_int bytes = (bignum_bits + 7) / 8;
1.53 markus 202:
1.32 markus 203: if (buffer_len(b) < bytes)
1.53 markus 204: fatal("buffer_get_bignum_bits: input buffer too small: "
205: "need %d have %d", bytes, buffer_len(b));
1.89 stevesk 206: BN_bin2bn(buffer_ptr(b), bytes, value);
1.32 markus 207: buffer_consume(b, bytes);
208: }
209:
1.63 itojun 210: static Key *
1.93 markus 211: do_convert_private_ssh2_from_blob(u_char *blob, u_int blen)
1.32 markus 212: {
213: Buffer b;
214: Key *key = NULL;
1.64 markus 215: char *type, *cipher;
1.69 stevesk 216: u_char *sig, data[] = "abcde12345";
1.62 markus 217: int magic, rlen, ktype, i1, i2, i3, i4;
1.64 markus 218: u_int slen;
1.62 markus 219: u_long e;
1.32 markus 220:
221: buffer_init(&b);
222: buffer_append(&b, blob, blen);
223:
224: magic = buffer_get_int(&b);
225: if (magic != SSH_COM_PRIVATE_KEY_MAGIC) {
226: error("bad magic 0x%x != 0x%x", magic, SSH_COM_PRIVATE_KEY_MAGIC);
227: buffer_free(&b);
228: return NULL;
229: }
1.62 markus 230: i1 = buffer_get_int(&b);
1.32 markus 231: type = buffer_get_string(&b, NULL);
232: cipher = buffer_get_string(&b, NULL);
1.62 markus 233: i2 = buffer_get_int(&b);
234: i3 = buffer_get_int(&b);
235: i4 = buffer_get_int(&b);
236: debug("ignore (%d %d %d %d)", i1,i2,i3,i4);
1.32 markus 237: if (strcmp(cipher, "none") != 0) {
238: error("unsupported cipher %s", cipher);
239: xfree(cipher);
240: buffer_free(&b);
1.53 markus 241: xfree(type);
1.32 markus 242: return NULL;
243: }
244: xfree(cipher);
245:
1.53 markus 246: if (strstr(type, "dsa")) {
247: ktype = KEY_DSA;
248: } else if (strstr(type, "rsa")) {
249: ktype = KEY_RSA;
250: } else {
1.117.2.1 brad 251: buffer_free(&b);
1.53 markus 252: xfree(type);
1.32 markus 253: return NULL;
254: }
1.53 markus 255: key = key_new_private(ktype);
256: xfree(type);
257:
258: switch (key->type) {
259: case KEY_DSA:
260: buffer_get_bignum_bits(&b, key->dsa->p);
261: buffer_get_bignum_bits(&b, key->dsa->g);
262: buffer_get_bignum_bits(&b, key->dsa->q);
263: buffer_get_bignum_bits(&b, key->dsa->pub_key);
264: buffer_get_bignum_bits(&b, key->dsa->priv_key);
265: break;
266: case KEY_RSA:
1.62 markus 267: e = buffer_get_char(&b);
268: debug("e %lx", e);
269: if (e < 30) {
270: e <<= 8;
271: e += buffer_get_char(&b);
272: debug("e %lx", e);
273: e <<= 8;
274: e += buffer_get_char(&b);
275: debug("e %lx", e);
276: }
277: if (!BN_set_word(key->rsa->e, e)) {
1.53 markus 278: buffer_free(&b);
279: key_free(key);
280: return NULL;
281: }
282: buffer_get_bignum_bits(&b, key->rsa->d);
283: buffer_get_bignum_bits(&b, key->rsa->n);
284: buffer_get_bignum_bits(&b, key->rsa->iqmp);
285: buffer_get_bignum_bits(&b, key->rsa->q);
286: buffer_get_bignum_bits(&b, key->rsa->p);
1.68 markus 287: rsa_generate_additional_parameters(key->rsa);
1.53 markus 288: break;
289: }
1.32 markus 290: rlen = buffer_len(&b);
1.85 deraadt 291: if (rlen != 0)
1.53 markus 292: error("do_convert_private_ssh2_from_blob: "
293: "remaining bytes in key blob %d", rlen);
1.32 markus 294: buffer_free(&b);
1.64 markus 295:
296: /* try the key */
297: key_sign(key, &sig, &slen, data, sizeof(data));
298: key_verify(key, sig, slen, data, sizeof(data));
299: xfree(sig);
1.32 markus 300: return key;
301: }
302:
1.63 itojun 303: static void
1.19 markus 304: do_convert_from_ssh2(struct passwd *pw)
305: {
306: Key *k;
307: int blen;
1.98 markus 308: u_int len;
1.19 markus 309: char line[1024], *p;
1.80 stevesk 310: u_char blob[8096];
1.19 markus 311: char encoded[8096];
312: struct stat st;
1.32 markus 313: int escaped = 0, private = 0, ok;
1.19 markus 314: FILE *fp;
315:
316: if (!have_identity)
317: ask_filename(pw, "Enter file in which the key is");
318: if (stat(identity_file, &st) < 0) {
319: perror(identity_file);
320: exit(1);
321: }
322: fp = fopen(identity_file, "r");
323: if (fp == NULL) {
324: perror(identity_file);
325: exit(1);
326: }
327: encoded[0] = '\0';
328: while (fgets(line, sizeof(line), fp)) {
1.25 markus 329: if (!(p = strchr(line, '\n'))) {
330: fprintf(stderr, "input line too long.\n");
331: exit(1);
332: }
333: if (p > line && p[-1] == '\\')
334: escaped++;
1.19 markus 335: if (strncmp(line, "----", 4) == 0 ||
336: strstr(line, ": ") != NULL) {
1.32 markus 337: if (strstr(line, SSH_COM_PRIVATE_BEGIN) != NULL)
338: private = 1;
1.64 markus 339: if (strstr(line, " END ") != NULL) {
340: break;
341: }
1.60 markus 342: /* fprintf(stderr, "ignore: %s", line); */
1.19 markus 343: continue;
344: }
1.25 markus 345: if (escaped) {
346: escaped--;
1.60 markus 347: /* fprintf(stderr, "escaped: %s", line); */
1.25 markus 348: continue;
1.19 markus 349: }
350: *p = '\0';
351: strlcat(encoded, line, sizeof(encoded));
352: }
1.98 markus 353: len = strlen(encoded);
354: if (((len % 4) == 3) &&
355: (encoded[len-1] == '=') &&
356: (encoded[len-2] == '=') &&
357: (encoded[len-3] == '='))
358: encoded[len-3] = '\0';
1.91 stevesk 359: blen = uudecode(encoded, blob, sizeof(blob));
1.19 markus 360: if (blen < 0) {
361: fprintf(stderr, "uudecode failed.\n");
362: exit(1);
363: }
1.32 markus 364: k = private ?
365: do_convert_private_ssh2_from_blob(blob, blen) :
1.33 markus 366: key_from_blob(blob, blen);
1.32 markus 367: if (k == NULL) {
368: fprintf(stderr, "decode blob failed.\n");
369: exit(1);
370: }
371: ok = private ?
1.53 markus 372: (k->type == KEY_DSA ?
373: PEM_write_DSAPrivateKey(stdout, k->dsa, NULL, NULL, 0, NULL, NULL) :
374: PEM_write_RSAPrivateKey(stdout, k->rsa, NULL, NULL, 0, NULL, NULL)) :
1.32 markus 375: key_write(k, stdout);
376: if (!ok) {
377: fprintf(stderr, "key write failed");
378: exit(1);
379: }
1.19 markus 380: key_free(k);
1.90 markus 381: if (!private)
382: fprintf(stdout, "\n");
1.19 markus 383: fclose(fp);
384: exit(0);
385: }
386:
1.63 itojun 387: static void
1.19 markus 388: do_print_public(struct passwd *pw)
389: {
1.52 markus 390: Key *prv;
1.19 markus 391: struct stat st;
392:
393: if (!have_identity)
394: ask_filename(pw, "Enter file in which the key is");
395: if (stat(identity_file, &st) < 0) {
396: perror(identity_file);
397: exit(1);
398: }
1.61 markus 399: prv = load_identity(identity_file);
1.52 markus 400: if (prv == NULL) {
1.19 markus 401: fprintf(stderr, "load failed\n");
402: exit(1);
403: }
1.52 markus 404: if (!key_write(prv, stdout))
1.19 markus 405: fprintf(stderr, "key_write failed");
1.52 markus 406: key_free(prv);
1.19 markus 407: fprintf(stdout, "\n");
408: exit(0);
409: }
410:
1.74 markus 411: #ifdef SMARTCARD
1.66 markus 412: static void
1.75 markus 413: do_upload(struct passwd *pw, const char *sc_reader_id)
1.66 markus 414: {
415: Key *prv = NULL;
416: struct stat st;
1.95 markus 417: int ret;
1.66 markus 418:
419: if (!have_identity)
420: ask_filename(pw, "Enter file in which the key is");
421: if (stat(identity_file, &st) < 0) {
422: perror(identity_file);
1.95 markus 423: exit(1);
1.66 markus 424: }
425: prv = load_identity(identity_file);
426: if (prv == NULL) {
427: error("load failed");
1.95 markus 428: exit(1);
1.66 markus 429: }
1.95 markus 430: ret = sc_put_key(prv, sc_reader_id);
431: key_free(prv);
432: if (ret < 0)
433: exit(1);
1.103 itojun 434: logit("loading key done");
1.95 markus 435: exit(0);
1.74 markus 436: }
1.75 markus 437:
438: static void
439: do_download(struct passwd *pw, const char *sc_reader_id)
440: {
1.97 markus 441: Key **keys = NULL;
442: int i;
1.75 markus 443:
1.97 markus 444: keys = sc_get_keys(sc_reader_id, NULL);
445: if (keys == NULL)
1.75 markus 446: fatal("cannot read public key from smartcard");
1.97 markus 447: for (i = 0; keys[i]; i++) {
448: key_write(keys[i], stdout);
449: key_free(keys[i]);
450: fprintf(stdout, "\n");
451: }
452: xfree(keys);
1.75 markus 453: exit(0);
454: }
1.78 jakob 455: #endif /* SMARTCARD */
1.66 markus 456:
1.63 itojun 457: static void
1.8 markus 458: do_fingerprint(struct passwd *pw)
459: {
1.15 markus 460: FILE *f;
1.19 markus 461: Key *public;
1.49 markus 462: char *comment = NULL, *cp, *ep, line[16*1024], *fp;
1.84 stevesk 463: int i, skip = 0, num = 1, invalid = 1;
464: enum fp_rep rep;
465: enum fp_type fptype;
1.12 markus 466: struct stat st;
467:
1.52 markus 468: fptype = print_bubblebabble ? SSH_FP_SHA1 : SSH_FP_MD5;
469: rep = print_bubblebabble ? SSH_FP_BUBBLEBABBLE : SSH_FP_HEX;
1.49 markus 470:
1.12 markus 471: if (!have_identity)
472: ask_filename(pw, "Enter file in which the key is");
473: if (stat(identity_file, &st) < 0) {
474: perror(identity_file);
475: exit(1);
476: }
1.52 markus 477: public = key_load_public(identity_file, &comment);
478: if (public != NULL) {
479: fp = key_fingerprint(public, fptype, rep);
1.101 deraadt 480: printf("%u %s %s\n", key_size(public), fp, comment);
1.33 markus 481: key_free(public);
482: xfree(comment);
1.49 markus 483: xfree(fp);
1.15 markus 484: exit(0);
485: }
1.52 markus 486: if (comment)
487: xfree(comment);
1.15 markus 488:
489: f = fopen(identity_file, "r");
490: if (f != NULL) {
491: while (fgets(line, sizeof(line), f)) {
492: i = strlen(line) - 1;
493: if (line[i] != '\n') {
494: error("line %d too long: %.40s...", num, line);
495: skip = 1;
496: continue;
497: }
498: num++;
499: if (skip) {
500: skip = 0;
501: continue;
502: }
503: line[i] = '\0';
504:
505: /* Skip leading whitespace, empty and comment lines. */
506: for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
507: ;
508: if (!*cp || *cp == '\n' || *cp == '#')
509: continue ;
510: i = strtol(cp, &ep, 10);
511: if (i == 0 || ep == NULL || (*ep != ' ' && *ep != '\t')) {
512: int quoted = 0;
513: comment = cp;
1.101 deraadt 514: for (; *cp && (quoted || (*cp != ' ' &&
515: *cp != '\t')); cp++) {
1.15 markus 516: if (*cp == '\\' && cp[1] == '"')
517: cp++; /* Skip both */
518: else if (*cp == '"')
519: quoted = !quoted;
520: }
521: if (!*cp)
522: continue;
523: *cp++ = '\0';
524: }
525: ep = cp;
1.38 markus 526: public = key_new(KEY_RSA1);
527: if (key_read(public, &cp) != 1) {
528: cp = ep;
529: key_free(public);
530: public = key_new(KEY_UNSPEC);
531: if (key_read(public, &cp) != 1) {
532: key_free(public);
533: continue;
534: }
1.12 markus 535: }
1.38 markus 536: comment = *cp ? cp : comment;
1.52 markus 537: fp = key_fingerprint(public, fptype, rep);
1.101 deraadt 538: printf("%u %s %s\n", key_size(public), fp,
1.38 markus 539: comment ? comment : "no comment");
1.49 markus 540: xfree(fp);
1.52 markus 541: key_free(public);
1.38 markus 542: invalid = 0;
1.12 markus 543: }
1.15 markus 544: fclose(f);
545: }
546: if (invalid) {
1.83 markus 547: printf("%s is not a public key file.\n", identity_file);
1.15 markus 548: exit(1);
1.12 markus 549: }
550: exit(0);
1.8 markus 551: }
552:
1.117.2.1 brad 553: static void
554: print_host(FILE *f, char *name, Key *public, int hash)
555: {
556: if (hash && (name = host_hash(name, NULL, 0)) == NULL)
557: fatal("hash_host failed");
558: fprintf(f, "%s ", name);
559: if (!key_write(public, f))
560: fatal("key_write failed");
561: fprintf(f, "\n");
562: }
563:
564: static void
565: do_known_hosts(struct passwd *pw, const char *name)
566: {
567: FILE *in, *out = stdout;
568: Key *public;
569: char *cp, *cp2, *kp, *kp2;
570: char line[16*1024], tmp[MAXPATHLEN], old[MAXPATHLEN];
571: int c, i, skip = 0, inplace = 0, num = 0, invalid = 0, has_unhashed = 0;
572:
573: if (!have_identity) {
574: cp = tilde_expand_filename(_PATH_SSH_USER_HOSTFILE, pw->pw_uid);
575: if (strlcpy(identity_file, cp, sizeof(identity_file)) >=
576: sizeof(identity_file))
577: fatal("Specified known hosts path too long");
578: xfree(cp);
579: have_identity = 1;
580: }
581: if ((in = fopen(identity_file, "r")) == NULL)
582: fatal("fopen: %s", strerror(errno));
583:
584: /*
585: * Find hosts goes to stdout, hash and deletions happen in-place
586: * A corner case is ssh-keygen -HF foo, which should go to stdout
587: */
588: if (!find_host && (hash_hosts || delete_host)) {
589: if (strlcpy(tmp, identity_file, sizeof(tmp)) >= sizeof(tmp) ||
590: strlcat(tmp, ".XXXXXXXXXX", sizeof(tmp)) >= sizeof(tmp) ||
591: strlcpy(old, identity_file, sizeof(old)) >= sizeof(old) ||
592: strlcat(old, ".old", sizeof(old)) >= sizeof(old))
593: fatal("known_hosts path too long");
594: umask(077);
595: if ((c = mkstemp(tmp)) == -1)
596: fatal("mkstemp: %s", strerror(errno));
597: if ((out = fdopen(c, "w")) == NULL) {
598: c = errno;
599: unlink(tmp);
600: fatal("fdopen: %s", strerror(c));
601: }
602: inplace = 1;
603: }
604:
605: while (fgets(line, sizeof(line), in)) {
606: num++;
607: i = strlen(line) - 1;
608: if (line[i] != '\n') {
609: error("line %d too long: %.40s...", num, line);
610: skip = 1;
611: invalid = 1;
612: continue;
613: }
614: if (skip) {
615: skip = 0;
616: continue;
617: }
618: line[i] = '\0';
619:
620: /* Skip leading whitespace, empty and comment lines. */
621: for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
622: ;
623: if (!*cp || *cp == '\n' || *cp == '#') {
624: if (inplace)
625: fprintf(out, "%s\n", cp);
626: continue;
627: }
628: /* Find the end of the host name portion. */
629: for (kp = cp; *kp && *kp != ' ' && *kp != '\t'; kp++)
630: ;
631: if (*kp == '\0' || *(kp + 1) == '\0') {
632: error("line %d missing key: %.40s...",
633: num, line);
634: invalid = 1;
635: continue;
636: }
637: *kp++ = '\0';
638: kp2 = kp;
639:
640: public = key_new(KEY_RSA1);
641: if (key_read(public, &kp) != 1) {
642: kp = kp2;
643: key_free(public);
644: public = key_new(KEY_UNSPEC);
645: if (key_read(public, &kp) != 1) {
646: error("line %d invalid key: %.40s...",
647: num, line);
648: key_free(public);
649: invalid = 1;
650: continue;
651: }
652: }
653:
654: if (*cp == HASH_DELIM) {
655: if (find_host || delete_host) {
656: cp2 = host_hash(name, cp, strlen(cp));
657: if (cp2 == NULL) {
658: error("line %d: invalid hashed "
659: "name: %.64s...", num, line);
660: invalid = 1;
661: continue;
662: }
663: c = (strcmp(cp2, cp) == 0);
664: if (find_host && c) {
665: printf("# Host %s found: "
666: "line %d type %s\n", name,
667: num, key_type(public));
668: print_host(out, cp, public, 0);
669: }
670: if (delete_host && !c)
671: print_host(out, cp, public, 0);
672: } else if (hash_hosts)
673: print_host(out, cp, public, 0);
674: } else {
675: if (find_host || delete_host) {
676: c = (match_hostname(name, cp,
677: strlen(cp)) == 1);
678: if (find_host && c) {
679: printf("# Host %s found: "
680: "line %d type %s\n", name,
681: num, key_type(public));
682: print_host(out, cp, public, hash_hosts);
683: }
684: if (delete_host && !c)
685: print_host(out, cp, public, 0);
686: } else if (hash_hosts) {
1.117.2.2! brad 687: for (cp2 = strsep(&cp, ",");
1.117.2.1 brad 688: cp2 != NULL && *cp2 != '\0';
689: cp2 = strsep(&cp, ",")) {
690: if (strcspn(cp2, "*?!") != strlen(cp2))
691: fprintf(stderr, "Warning: "
692: "ignoring host name with "
693: "metacharacters: %.64s\n",
694: cp2);
695: else
696: print_host(out, cp2, public, 1);
697: }
698: has_unhashed = 1;
699: }
700: }
701: key_free(public);
702: }
703: fclose(in);
704:
705: if (invalid) {
706: fprintf(stderr, "%s is not a valid known_host file.\n",
707: identity_file);
708: if (inplace) {
709: fprintf(stderr, "Not replacing existing known_hosts "
1.117.2.2! brad 710: "file because of errors\n");
1.117.2.1 brad 711: fclose(out);
712: unlink(tmp);
713: }
714: exit(1);
715: }
716:
717: if (inplace) {
718: fclose(out);
719:
720: /* Backup existing file */
721: if (unlink(old) == -1 && errno != ENOENT)
722: fatal("unlink %.100s: %s", old, strerror(errno));
723: if (link(identity_file, old) == -1)
724: fatal("link %.100s to %.100s: %s", identity_file, old,
725: strerror(errno));
726: /* Move new one into place */
727: if (rename(tmp, identity_file) == -1) {
728: error("rename\"%s\" to \"%s\": %s", tmp, identity_file,
729: strerror(errno));
730: unlink(tmp);
731: unlink(old);
732: exit(1);
733: }
734:
735: fprintf(stderr, "%s updated.\n", identity_file);
736: fprintf(stderr, "Original contents retained as %s\n", old);
737: if (has_unhashed) {
738: fprintf(stderr, "WARNING: %s contains unhashed "
739: "entries\n", old);
740: fprintf(stderr, "Delete this file to ensure privacy "
741: "of hostnames\n");
742: }
743: }
744:
745: exit(0);
746: }
747:
1.13 deraadt 748: /*
749: * Perform changing a passphrase. The argument is the passwd structure
750: * for the current user.
751: */
1.63 itojun 752: static void
1.7 markus 753: do_change_passphrase(struct passwd *pw)
754: {
1.12 markus 755: char *comment;
756: char *old_passphrase, *passphrase1, *passphrase2;
757: struct stat st;
1.19 markus 758: Key *private;
1.12 markus 759:
760: if (!have_identity)
761: ask_filename(pw, "Enter file in which the key is");
762: if (stat(identity_file, &st) < 0) {
763: perror(identity_file);
764: exit(1);
765: }
766: /* Try to load the file with empty passphrase. */
1.52 markus 767: private = key_load_private(identity_file, "", &comment);
768: if (private == NULL) {
1.12 markus 769: if (identity_passphrase)
770: old_passphrase = xstrdup(identity_passphrase);
771: else
1.65 markus 772: old_passphrase =
773: read_passphrase("Enter old passphrase: ",
774: RP_ALLOW_STDIN);
775: private = key_load_private(identity_file, old_passphrase,
776: &comment);
1.52 markus 777: memset(old_passphrase, 0, strlen(old_passphrase));
778: xfree(old_passphrase);
779: if (private == NULL) {
1.12 markus 780: printf("Bad passphrase.\n");
781: exit(1);
782: }
783: }
784: printf("Key has comment '%s'\n", comment);
785:
786: /* Ask the new passphrase (twice). */
787: if (identity_new_passphrase) {
788: passphrase1 = xstrdup(identity_new_passphrase);
789: passphrase2 = NULL;
790: } else {
791: passphrase1 =
1.65 markus 792: read_passphrase("Enter new passphrase (empty for no "
793: "passphrase): ", RP_ALLOW_STDIN);
794: passphrase2 = read_passphrase("Enter same passphrase again: ",
1.86 deraadt 795: RP_ALLOW_STDIN);
1.12 markus 796:
797: /* Verify that they are the same. */
798: if (strcmp(passphrase1, passphrase2) != 0) {
799: memset(passphrase1, 0, strlen(passphrase1));
800: memset(passphrase2, 0, strlen(passphrase2));
801: xfree(passphrase1);
802: xfree(passphrase2);
803: printf("Pass phrases do not match. Try again.\n");
804: exit(1);
805: }
806: /* Destroy the other copy. */
807: memset(passphrase2, 0, strlen(passphrase2));
808: xfree(passphrase2);
809: }
810:
811: /* Save the file using the new passphrase. */
1.52 markus 812: if (!key_save_private(private, identity_file, passphrase1, comment)) {
1.56 markus 813: printf("Saving the key failed: %s.\n", identity_file);
1.12 markus 814: memset(passphrase1, 0, strlen(passphrase1));
815: xfree(passphrase1);
1.19 markus 816: key_free(private);
1.12 markus 817: xfree(comment);
818: exit(1);
819: }
820: /* Destroy the passphrase and the copy of the key in memory. */
821: memset(passphrase1, 0, strlen(passphrase1));
822: xfree(passphrase1);
1.19 markus 823: key_free(private); /* Destroys contents */
1.12 markus 824: xfree(comment);
1.1 deraadt 825:
1.12 markus 826: printf("Your identification has been saved with the new passphrase.\n");
827: exit(0);
1.1 deraadt 828: }
829:
1.105 jakob 830: /*
831: * Print the SSHFP RR.
832: */
833: static void
1.116 avsm 834: do_print_resource_record(struct passwd *pw, char *hname)
1.105 jakob 835: {
836: Key *public;
837: char *comment = NULL;
838: struct stat st;
839:
840: if (!have_identity)
841: ask_filename(pw, "Enter file in which the key is");
842: if (stat(identity_file, &st) < 0) {
843: perror(identity_file);
844: exit(1);
845: }
846: public = key_load_public(identity_file, &comment);
847: if (public != NULL) {
1.116 avsm 848: export_dns_rr(hname, public, stdout, print_generic);
1.105 jakob 849: key_free(public);
850: xfree(comment);
851: exit(0);
852: }
853: if (comment)
854: xfree(comment);
855:
856: printf("failed to read v2 public key from %s.\n", identity_file);
857: exit(1);
858: }
859:
1.13 deraadt 860: /*
861: * Change the comment of a private key file.
862: */
1.63 itojun 863: static void
1.2 provos 864: do_change_comment(struct passwd *pw)
1.1 deraadt 865: {
1.46 deraadt 866: char new_comment[1024], *comment, *passphrase;
1.52 markus 867: Key *private;
868: Key *public;
1.12 markus 869: struct stat st;
870: FILE *f;
1.46 deraadt 871: int fd;
1.12 markus 872:
873: if (!have_identity)
874: ask_filename(pw, "Enter file in which the key is");
875: if (stat(identity_file, &st) < 0) {
876: perror(identity_file);
877: exit(1);
878: }
1.52 markus 879: private = key_load_private(identity_file, "", &comment);
880: if (private == NULL) {
1.12 markus 881: if (identity_passphrase)
882: passphrase = xstrdup(identity_passphrase);
883: else if (identity_new_passphrase)
884: passphrase = xstrdup(identity_new_passphrase);
885: else
1.65 markus 886: passphrase = read_passphrase("Enter passphrase: ",
887: RP_ALLOW_STDIN);
1.12 markus 888: /* Try to load using the passphrase. */
1.52 markus 889: private = key_load_private(identity_file, passphrase, &comment);
890: if (private == NULL) {
1.12 markus 891: memset(passphrase, 0, strlen(passphrase));
892: xfree(passphrase);
893: printf("Bad passphrase.\n");
894: exit(1);
895: }
1.52 markus 896: } else {
897: passphrase = xstrdup("");
1.12 markus 898: }
1.52 markus 899: if (private->type != KEY_RSA1) {
900: fprintf(stderr, "Comments are only supported for RSA1 keys.\n");
901: key_free(private);
902: exit(1);
1.86 deraadt 903: }
1.12 markus 904: printf("Key now has comment '%s'\n", comment);
905:
906: if (identity_comment) {
907: strlcpy(new_comment, identity_comment, sizeof(new_comment));
908: } else {
909: printf("Enter new comment: ");
910: fflush(stdout);
911: if (!fgets(new_comment, sizeof(new_comment), stdin)) {
912: memset(passphrase, 0, strlen(passphrase));
1.19 markus 913: key_free(private);
1.12 markus 914: exit(1);
915: }
916: if (strchr(new_comment, '\n'))
917: *strchr(new_comment, '\n') = 0;
918: }
919:
920: /* Save the file using the new passphrase. */
1.52 markus 921: if (!key_save_private(private, identity_file, passphrase, new_comment)) {
1.56 markus 922: printf("Saving the key failed: %s.\n", identity_file);
1.12 markus 923: memset(passphrase, 0, strlen(passphrase));
924: xfree(passphrase);
1.19 markus 925: key_free(private);
1.12 markus 926: xfree(comment);
927: exit(1);
928: }
929: memset(passphrase, 0, strlen(passphrase));
930: xfree(passphrase);
1.52 markus 931: public = key_from_private(private);
1.19 markus 932: key_free(private);
1.12 markus 933:
934: strlcat(identity_file, ".pub", sizeof(identity_file));
1.46 deraadt 935: fd = open(identity_file, O_WRONLY | O_CREAT | O_TRUNC, 0644);
936: if (fd == -1) {
1.12 markus 937: printf("Could not save your public key in %s\n", identity_file);
938: exit(1);
939: }
1.46 deraadt 940: f = fdopen(fd, "w");
941: if (f == NULL) {
942: printf("fdopen %s failed", identity_file);
943: exit(1);
944: }
1.19 markus 945: if (!key_write(public, f))
946: fprintf(stderr, "write key failed");
947: key_free(public);
948: fprintf(f, " %s\n", new_comment);
1.12 markus 949: fclose(f);
1.1 deraadt 950:
1.12 markus 951: xfree(comment);
1.1 deraadt 952:
1.12 markus 953: printf("The comment in your key file has been changed.\n");
954: exit(0);
1.1 deraadt 955: }
956:
1.63 itojun 957: static void
1.10 markus 958: usage(void)
959: {
1.77 jakob 960: fprintf(stderr, "Usage: %s [options]\n", __progname);
961: fprintf(stderr, "Options:\n");
962: fprintf(stderr, " -b bits Number of bits in the key to create.\n");
963: fprintf(stderr, " -c Change comment in private and public key files.\n");
964: fprintf(stderr, " -e Convert OpenSSH to IETF SECSH key file.\n");
965: fprintf(stderr, " -f filename Filename of the key file.\n");
1.105 jakob 966: fprintf(stderr, " -g Use generic DNS resource record format.\n");
1.77 jakob 967: fprintf(stderr, " -i Convert IETF SECSH to OpenSSH key file.\n");
968: fprintf(stderr, " -l Show fingerprint of key file.\n");
969: fprintf(stderr, " -p Change passphrase of private key file.\n");
970: fprintf(stderr, " -q Quiet.\n");
971: fprintf(stderr, " -y Read private key file and print public key.\n");
972: fprintf(stderr, " -t type Specify type of key to create.\n");
973: fprintf(stderr, " -B Show bubblebabble digest of key file.\n");
1.117.2.1 brad 974: fprintf(stderr, " -H Hash names in known_hosts file\n");
975: fprintf(stderr, " -F hostname Find hostname in known hosts file\n");
1.77 jakob 976: fprintf(stderr, " -C comment Provide new comment.\n");
977: fprintf(stderr, " -N phrase Provide new passphrase.\n");
978: fprintf(stderr, " -P phrase Provide old passphrase.\n");
1.105 jakob 979: fprintf(stderr, " -r hostname Print DNS resource record.\n");
1.77 jakob 980: #ifdef SMARTCARD
981: fprintf(stderr, " -D reader Download public key from smartcard.\n");
982: fprintf(stderr, " -U reader Upload private key to smartcard.\n");
983: #endif /* SMARTCARD */
984:
1.107 djm 985: fprintf(stderr, " -G file Generate candidates for DH-GEX moduli\n");
986: fprintf(stderr, " -T file Screen candidates for DH-GEX moduli\n");
987:
1.12 markus 988: exit(1);
1.10 markus 989: }
990:
1.13 deraadt 991: /*
992: * Main program for key management.
993: */
1.2 provos 994: int
995: main(int ac, char **av)
1.1 deraadt 996: {
1.87 djm 997: char dotsshdir[MAXPATHLEN], comment[1024], *passphrase1, *passphrase2;
1.112 djm 998: char out_file[MAXPATHLEN], *reader_id = NULL;
1.117.2.1 brad 999: char *rr_hostname = NULL;
1.46 deraadt 1000: Key *private, *public;
1.12 markus 1001: struct passwd *pw;
1002: struct stat st;
1.107 djm 1003: int opt, type, fd, download = 0, memory = 0;
1004: int generator_wanted = 0, trials = 100;
1005: int do_gen_candidates = 0, do_screen_candidates = 0;
1.113 djm 1006: int log_level = SYSLOG_LEVEL_INFO;
1.107 djm 1007: BIGNUM *start = NULL;
1.12 markus 1008: FILE *f;
1.33 markus 1009:
1.12 markus 1010: extern int optind;
1011: extern char *optarg;
1012:
1.26 markus 1013: SSLeay_add_all_algorithms();
1.107 djm 1014: log_init(av[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
1.19 markus 1015:
1.14 markus 1016: /* we need this for the home * directory. */
1.12 markus 1017: pw = getpwuid(getuid());
1018: if (!pw) {
1019: printf("You don't exist, go away!\n");
1020: exit(1);
1021: }
1.19 markus 1022: if (gethostname(hostname, sizeof(hostname)) < 0) {
1023: perror("gethostname");
1024: exit(1);
1025: }
1.14 markus 1026:
1.107 djm 1027: while ((opt = getopt(ac, av,
1.117.2.1 brad 1028: "degiqpclBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:")) != -1) {
1.12 markus 1029: switch (opt) {
1030: case 'b':
1031: bits = atoi(optarg);
1032: if (bits < 512 || bits > 32768) {
1033: printf("Bits has bad value.\n");
1034: exit(1);
1035: }
1036: break;
1.117.2.1 brad 1037: case 'F':
1038: find_host = 1;
1039: rr_hostname = optarg;
1040: break;
1041: case 'H':
1042: hash_hosts = 1;
1043: break;
1044: case 'R':
1045: delete_host = 1;
1046: rr_hostname = optarg;
1047: break;
1.12 markus 1048: case 'l':
1049: print_fingerprint = 1;
1050: break;
1.49 markus 1051: case 'B':
1052: print_bubblebabble = 1;
1053: break;
1.12 markus 1054: case 'p':
1055: change_passphrase = 1;
1056: break;
1057: case 'c':
1058: change_comment = 1;
1059: break;
1060: case 'f':
1061: strlcpy(identity_file, optarg, sizeof(identity_file));
1062: have_identity = 1;
1063: break;
1.105 jakob 1064: case 'g':
1065: print_generic = 1;
1066: break;
1.12 markus 1067: case 'P':
1068: identity_passphrase = optarg;
1069: break;
1070: case 'N':
1071: identity_new_passphrase = optarg;
1072: break;
1073: case 'C':
1074: identity_comment = optarg;
1075: break;
1076: case 'q':
1077: quiet = 1;
1.20 deraadt 1078: break;
1.57 markus 1079: case 'e':
1.19 markus 1080: case 'x':
1.57 markus 1081: /* export key */
1.19 markus 1082: convert_to_ssh2 = 1;
1083: break;
1.57 markus 1084: case 'i':
1.19 markus 1085: case 'X':
1.57 markus 1086: /* import key */
1.19 markus 1087: convert_from_ssh2 = 1;
1088: break;
1089: case 'y':
1090: print_public = 1;
1.47 jakob 1091: break;
1.19 markus 1092: case 'd':
1.33 markus 1093: key_type_name = "dsa";
1.19 markus 1094: break;
1.33 markus 1095: case 't':
1096: key_type_name = optarg;
1097: break;
1.75 markus 1098: case 'D':
1099: download = 1;
1.76 jakob 1100: case 'U':
1.75 markus 1101: reader_id = optarg;
1.66 markus 1102: break;
1.113 djm 1103: case 'v':
1104: if (log_level == SYSLOG_LEVEL_INFO)
1105: log_level = SYSLOG_LEVEL_DEBUG1;
1106: else {
1.117 deraadt 1107: if (log_level >= SYSLOG_LEVEL_DEBUG1 &&
1.113 djm 1108: log_level < SYSLOG_LEVEL_DEBUG3)
1109: log_level++;
1110: }
1111: break;
1.105 jakob 1112: case 'r':
1.117.2.1 brad 1113: rr_hostname = optarg;
1.105 jakob 1114: break;
1.107 djm 1115: case 'W':
1116: generator_wanted = atoi(optarg);
1117: if (generator_wanted < 1)
1118: fatal("Desired generator has bad value.");
1119: break;
1120: case 'a':
1121: trials = atoi(optarg);
1122: break;
1123: case 'M':
1124: memory = atoi(optarg);
1125: break;
1126: case 'G':
1127: do_gen_candidates = 1;
1128: strlcpy(out_file, optarg, sizeof(out_file));
1129: break;
1130: case 'T':
1131: do_screen_candidates = 1;
1132: strlcpy(out_file, optarg, sizeof(out_file));
1133: break;
1134: case 'S':
1135: /* XXX - also compare length against bits */
1136: if (BN_hex2bn(&start, optarg) == 0)
1137: fatal("Invalid start point.");
1138: break;
1.12 markus 1139: case '?':
1140: default:
1141: usage();
1142: }
1143: }
1.113 djm 1144:
1145: /* reinit */
1146: log_init(av[0], log_level, SYSLOG_FACILITY_USER, 1);
1147:
1.12 markus 1148: if (optind < ac) {
1149: printf("Too many arguments.\n");
1.87 djm 1150: usage();
1151: }
1.12 markus 1152: if (change_passphrase && change_comment) {
1153: printf("Can only have one of -p and -c.\n");
1154: usage();
1155: }
1.117.2.1 brad 1156: if (delete_host || hash_hosts || find_host)
1157: do_known_hosts(pw, rr_hostname);
1.49 markus 1158: if (print_fingerprint || print_bubblebabble)
1.12 markus 1159: do_fingerprint(pw);
1160: if (change_passphrase)
1161: do_change_passphrase(pw);
1162: if (change_comment)
1163: do_change_comment(pw);
1.19 markus 1164: if (convert_to_ssh2)
1165: do_convert_to_ssh2(pw);
1166: if (convert_from_ssh2)
1167: do_convert_from_ssh2(pw);
1168: if (print_public)
1169: do_print_public(pw);
1.117.2.1 brad 1170: if (rr_hostname != NULL) {
1171: do_print_resource_record(pw, rr_hostname);
1.105 jakob 1172: }
1.75 markus 1173: if (reader_id != NULL) {
1.74 markus 1174: #ifdef SMARTCARD
1.75 markus 1175: if (download)
1176: do_download(pw, reader_id);
1177: else
1178: do_upload(pw, reader_id);
1.78 jakob 1179: #else /* SMARTCARD */
1.74 markus 1180: fatal("no support for smartcards.");
1.78 jakob 1181: #endif /* SMARTCARD */
1.107 djm 1182: }
1183:
1184: if (do_gen_candidates) {
1185: FILE *out = fopen(out_file, "w");
1.111 djm 1186:
1.107 djm 1187: if (out == NULL) {
1188: error("Couldn't open modulus candidate file \"%s\": %s",
1189: out_file, strerror(errno));
1190: return (1);
1191: }
1192: if (gen_candidates(out, memory, bits, start) != 0)
1193: fatal("modulus candidate generation failed\n");
1194:
1195: return (0);
1196: }
1197:
1198: if (do_screen_candidates) {
1199: FILE *in;
1200: FILE *out = fopen(out_file, "w");
1201:
1202: if (have_identity && strcmp(identity_file, "-") != 0) {
1203: if ((in = fopen(identity_file, "r")) == NULL) {
1204: fatal("Couldn't open modulus candidate "
1.111 djm 1205: "file \"%s\": %s", identity_file,
1.107 djm 1206: strerror(errno));
1207: }
1208: } else
1209: in = stdin;
1210:
1211: if (out == NULL) {
1212: fatal("Couldn't open moduli file \"%s\": %s",
1213: out_file, strerror(errno));
1214: }
1215: if (prime_test(in, out, trials, generator_wanted) != 0)
1216: fatal("modulus screening failed\n");
1.108 markus 1217: return (0);
1.75 markus 1218: }
1.12 markus 1219:
1220: arc4random_stir();
1221:
1.88 markus 1222: if (key_type_name == NULL) {
1223: printf("You must specify a key type (-t).\n");
1224: usage();
1225: }
1.35 markus 1226: type = key_type_from_name(key_type_name);
1227: if (type == KEY_UNSPEC) {
1228: fprintf(stderr, "unknown key type %s\n", key_type_name);
1229: exit(1);
1.19 markus 1230: }
1.33 markus 1231: if (!quiet)
1.35 markus 1232: printf("Generating public/private %s key pair.\n", key_type_name);
1.33 markus 1233: private = key_generate(type, bits);
1234: if (private == NULL) {
1235: fprintf(stderr, "key_generate failed");
1236: exit(1);
1237: }
1238: public = key_from_private(private);
1.12 markus 1239:
1240: if (!have_identity)
1241: ask_filename(pw, "Enter file in which to save the key");
1242:
1243: /* Create ~/.ssh directory if it doesn\'t already exist. */
1.40 markus 1244: snprintf(dotsshdir, sizeof dotsshdir, "%s/%s", pw->pw_dir, _PATH_SSH_USER_DIR);
1.12 markus 1245: if (strstr(identity_file, dotsshdir) != NULL &&
1246: stat(dotsshdir, &st) < 0) {
1.29 djm 1247: if (mkdir(dotsshdir, 0700) < 0)
1.12 markus 1248: error("Could not create directory '%s'.", dotsshdir);
1249: else if (!quiet)
1250: printf("Created directory '%s'.\n", dotsshdir);
1251: }
1252: /* If the file already exists, ask the user to confirm. */
1253: if (stat(identity_file, &st) >= 0) {
1254: char yesno[3];
1255: printf("%s already exists.\n", identity_file);
1256: printf("Overwrite (y/n)? ");
1257: fflush(stdout);
1258: if (fgets(yesno, sizeof(yesno), stdin) == NULL)
1259: exit(1);
1260: if (yesno[0] != 'y' && yesno[0] != 'Y')
1261: exit(1);
1262: }
1263: /* Ask for a passphrase (twice). */
1264: if (identity_passphrase)
1265: passphrase1 = xstrdup(identity_passphrase);
1266: else if (identity_new_passphrase)
1267: passphrase1 = xstrdup(identity_new_passphrase);
1268: else {
1269: passphrase_again:
1270: passphrase1 =
1.65 markus 1271: read_passphrase("Enter passphrase (empty for no "
1272: "passphrase): ", RP_ALLOW_STDIN);
1273: passphrase2 = read_passphrase("Enter same passphrase again: ",
1274: RP_ALLOW_STDIN);
1.12 markus 1275: if (strcmp(passphrase1, passphrase2) != 0) {
1.65 markus 1276: /*
1277: * The passphrases do not match. Clear them and
1278: * retry.
1279: */
1.12 markus 1280: memset(passphrase1, 0, strlen(passphrase1));
1281: memset(passphrase2, 0, strlen(passphrase2));
1282: xfree(passphrase1);
1283: xfree(passphrase2);
1284: printf("Passphrases do not match. Try again.\n");
1285: goto passphrase_again;
1286: }
1287: /* Clear the other copy of the passphrase. */
1288: memset(passphrase2, 0, strlen(passphrase2));
1289: xfree(passphrase2);
1290: }
1291:
1292: if (identity_comment) {
1293: strlcpy(comment, identity_comment, sizeof(comment));
1294: } else {
1.18 markus 1295: /* Create default commend field for the passphrase. */
1.12 markus 1296: snprintf(comment, sizeof comment, "%s@%s", pw->pw_name, hostname);
1297: }
1298:
1299: /* Save the key with the given passphrase and comment. */
1.52 markus 1300: if (!key_save_private(private, identity_file, passphrase1, comment)) {
1.56 markus 1301: printf("Saving the key failed: %s.\n", identity_file);
1.12 markus 1302: memset(passphrase1, 0, strlen(passphrase1));
1303: xfree(passphrase1);
1304: exit(1);
1305: }
1306: /* Clear the passphrase. */
1307: memset(passphrase1, 0, strlen(passphrase1));
1308: xfree(passphrase1);
1309:
1310: /* Clear the private key and the random number generator. */
1.33 markus 1311: key_free(private);
1.12 markus 1312: arc4random_stir();
1313:
1314: if (!quiet)
1315: printf("Your identification has been saved in %s.\n", identity_file);
1316:
1317: strlcat(identity_file, ".pub", sizeof(identity_file));
1.46 deraadt 1318: fd = open(identity_file, O_WRONLY | O_CREAT | O_TRUNC, 0644);
1319: if (fd == -1) {
1.12 markus 1320: printf("Could not save your public key in %s\n", identity_file);
1.46 deraadt 1321: exit(1);
1322: }
1323: f = fdopen(fd, "w");
1324: if (f == NULL) {
1325: printf("fdopen %s failed", identity_file);
1.12 markus 1326: exit(1);
1327: }
1.19 markus 1328: if (!key_write(public, f))
1329: fprintf(stderr, "write key failed");
1330: fprintf(f, " %s\n", comment);
1.12 markus 1331: fclose(f);
1332:
1333: if (!quiet) {
1.50 markus 1334: char *fp = key_fingerprint(public, SSH_FP_MD5, SSH_FP_HEX);
1.19 markus 1335: printf("Your public key has been saved in %s.\n",
1336: identity_file);
1.12 markus 1337: printf("The key fingerprint is:\n");
1.50 markus 1338: printf("%s %s\n", fp, comment);
1339: xfree(fp);
1.12 markus 1340: }
1.19 markus 1341:
1342: key_free(public);
1.12 markus 1343: exit(0);
1.1 deraadt 1344: }